I am going to be teaching about various viruses in a class on security for a tech school, and I am looking for "safe examples" (ones that are non-destructive) that I can use to show the various types that are out there: Macro, Trojan, etc.
Does anyone know where I can find something like this?
I normally grab various malware variants from these sites when I need to analyze their behavior, etc...
Your best option might be to build a small VMware network and make sure it's not connected to the internet when demoing bots or worms that don't require user interaction to spread. Most of the newer malware is smart enough to detect a VM environment, though, and will change its behavior accordingly, so this might limit your demonstrations.
I've heard that if you set up DNS capabilities for the VM'ed box, the malware can sometimes be fooled. At least that is what a presenter was saying at the last conference I attended on malware forensics. I'm sure someone here will have more on that, though.
Thanks for the links. Unfortunately, I asked about setting up a VM environment, and because it is a shared lab and not secure, the powers that be will not allow it.
I found a couple of testers with sigs that antivirus will alert on and show how they can work if it was a real virus. I may have to be satisfied with that and just show the code of some that were caught in the wild.
As for detecting VM environments, there are various methods for this, some of which are:
- Detecting VME artifacts in the registry or processes. I think some variants of Phatbot do this.
- Detecting VME artifacts in memory.
- Detecting VME specific processor instructions.
- Looking for specific virtual hardware.
Joanna Rutkowska's Red Pill was written to detect virtual machines by figuring out the location of the Interrupt Descriptor Table and based on the location determine if the OS was running in a VM or not.